The way we prove who we are online is about to change. The EU Digital Identity (EUDI) Act marks a decisive shift in how identity will be managed, shared and trusted across digital services. For years, businesses have operated within largely centralised identity models – collecting, storing and verifying user data within their own systems. That model is now being fundamentally challenged. With regulated sectors including banking, financial services, healthcare and telecommunications required to accept digital identity wallets by December 2026, individuals will increasingly control what data they share, when they share it, and with whom.
There will, however, be a lag in getting to widespread implementation of these wallets. Rather than a clean handover from one model to another, there will be a period of fragmentation – a limbo in which businesses must simultaneously operate across two different identity frameworks. That transition, and how organisations manage it, will define who is well-positioned when wallet-based identity becomes the standard across regulated sectors.
The tides are changing
The regulatory shift is not happening in isolation. AI-generated synthetic identities accounted for roughly a third of new fintech fraud cases in 2025, while deepfake fraud attempts during digital onboarding increased by more than 300% in the same period. Consumer attitudes were already under pressure before EUDI arrived, with declining trust in digital life and AI-powered fraud now viewed as a greater personal security threat than traditional identity theft.
The result is a consumer base that is increasingly alert to how their data is used, and increasingly unwilling to hand it over. Digital wallets formalise and accelerate this instinct. The ability to share only what a transaction requires, rather than handing over full identity profiles, will eventually move from being a nice to have, to a regulatory requirement. Proving age without disclosing a date of birth and confirming residency without revealing a full address are the kinds of interactions decentralised identity is built to enable.
For sectors already managing sensitive data at scale, there will be no choice but to eventually adapt to this expectation as regulation comes in, but how quickly they can do so without disrupting existing operations will be the decider amongst competition.
Managing the limbo period
This transition phase presents a unique operational challenge. While Member States are required to make at least one certified EU Digital Identity Wallet available by the end of 2026, centralised identity processes don’t simply disappear alongside it. Legacy systems remain essential for governance, audit trails and regulatory compliance, and the verification processes that businesses have built over many years are too deeply embedded to switch off on a fixed timeline.
The businesses that will navigate this most effectively are those that treat orchestration as the solution, not just an approach. What is needed is not another patch on top of legacy identity tooling, but a coherent identity layer capable of connecting centralised systems with decentralised credentials and establishing trust across both. An organisation verifying customers one way today must be equally prepared to do so a different way tomorrow, and the customer should never be able to tell the difference.
This orchestration is made viable through cryptographic verification. Rather than repeatedly transmitting and storing raw identity information, trust is established through cryptographic interaction – reducing overall data exposure, strengthening assurance and maintaining a complete audit trail regardless of which pathway a given customer uses. Done well, that layer simplifies the transition rather than adds to the complexity of it.
Compliance is not the ceiling – it is the floor
EUDI compliance is better understood as a floor, not a ceiling. The underlying principles it encodes, from data minimisation and user control to privacy by design, reflect a wider shift in consumer expectation that extends well beyond the initial rollout phase. Organisations that treat compliance as the objective, rather than the architecture that enables long term trust, will find themselves revisiting these decisions sooner than they expect.
The privacy-preserving dimension matters here in ways that go beyond regulatory box ticking. Centralised identity models accumulate data because they were designed to – each verification touchpoint generates a record, stored and often replicated across systems and third parties. Fraud is estimated to cost the UK economy £219 billion each year, with identity fraud alone accounting for over half of all cases reported. Against this backdrop, every additional copy of sensitive personal data represents exposure to breach, regulatory sanction, and reputational harm linked to compromised identities. Shifting toward verification through cryptographic proof rather than data transfer materially reduces the attack surface while meeting compliance requirements.
Businesses preparing for EUDI compliance should be thinking now about how their identity architecture handles credential verification, how their audit infrastructure captures wallet-based interactions, and how they intend to establish trust with credentials issued by different Member States. The technical specifications are still maturing, and waiting for complete certainty before beginning integration work is a guarantee of deadline pressure later.
The future of digital identity is now
The EUDI Act has accelerated a wider shift that was already underway. Consumer expectations around data control were already moving in this direction, this was driven by the growing recognition that holding identity data in one place makes it an increasingly attractive target for sophisticated fraud. The decentralised model, where individuals hold verified credentials and present only what is needed, addresses both pressures simultaneously.
For businesses in banking, healthcare, telecoms and beyond, the organisations that invest now in the orchestration layer that bridges both models will emerge from the transition with infrastructure that is more resilient, more privacy-preserving and better aligned with where consumer trust is heading. The identity landscape is being rebuilt, and the question is whether businesses are building with it or waiting to be retrofitted.
Gonzalo Alonso
Gonzalo Alonso is CEO at Ditto where he is leading the company’s transformation into a revenue-positive, mobile-first identity platform that prioritises zero-trust and privacy-first principles.
